Understanding the Customizable Report

Results and Reports

The Customizable Report summarizes the security findings identified during the most recent policy scan, the application policy status, and recommendations to fix the findings.

You can download the Customizable Report from the Results page. It contains these sections:

Executive Summary

The Executive Summary section is a high-level description of your findings and policy status. It provides scan details such as the number of findings, the policy rules, the most frequently found CWEs, and the Security Quality Score. If you include Veracode Software Composition Analysis findings, it also provides a summary of SCA findings and third-party component license risk.

Policy Evaluation

The Policy Evaluation is a summary of your policy compliance. It provides the description and status of your policy, as well as the rules, scan requirements, and Security Quality Score for the latest scan.

Static Scan Details

The Static Scan Details section describes the scope of the scan, listing the application modules included in and excluded from the scan.

Changes from Last Scan

The Changes from Last Scan section describes changes in scope from the prior scan, listing all modules that changed since the previous scan.

Findings and Recommendations

The Findings and Recommendations section provides a list of findings by severity, in addition to descriptions and remediation advice for the findings. You can also view a list of Software Composition Analysis (SCA) findings by component with license risk details.

Approved, Proposed, and Rejected Mitigations

The Approved Mitigations, Proposed Mitigations, and Rejected Mitigations sections provide the mitigation history for findings in a specific mitigation status. It also provides the exploitability and location of each mitigated finding. For Veracode SCA, the report lists mitigations for vulnerabilities and licenses separately.

Veracode's Methodology

The Veracode's Methodology section provides a detailed explanation of several components of Veracode results, such as application security policies, the Veracode rating system, and manual assessments.